Troubleshooting Certificate and Connection Errors in Cloud Connect

Common Causes and Solutions

• The connection to the Service Provider's Cloud Gateway(s) cannot be established using the default port TCP 6180.
  • Ensure that the TCP/UDP port 6180 is permitted for outbound traffic from the tenant environment (applicable only for stateful firewalls). If the firewall is stateless, a static rule needs to be added for the return traffic. 
  • Similar firewall exceptions for TCP/UDP 6180 should be applied in the service provider's firewall for traffic destined for each Cloud Gateway. 
  • Additionally, note that tenant-side proxies or repositories will connect directly to the Cloud Gateways during job runs.
• The certificate has expired and needs to be renewed.
• The certificate was incorrectly keyed during the CSR process and needs to be re-keyed, or the private key is missing entirely.
  • Ensure that the certificate, along with the private key, is installed on the SP Veeam Backup Server. It does not need to be installed on the Cloud Gateways if they are separate servers. The issued certificate, along with the private key, will be a file with a .pfx extension.
  • If your SSL certificate provider asks you to generate the PFX file using a private key that you have generated, as opposed to one they provide, it will be considered a security risk and will not be a supported configuration.
• The certificate chain has not been fully installed on the SP Veeam Backup Server, and as a result, the chain of trust cannot be established. The connection to the SP Veeam Backup Server will not be authenticated unless the Tenant Veeam Backup Server can validate a certificate that ends with a Root CA certificate.
  • Ensure that the certificate chain, which includes both subordinate (intermediate) and root CA certificates, is installed on the SP Veeam Backup Server. Typically, the SSL certificate provider includes the chain in a separate file with a .p7b extension.
• The Cloud Gateway(s) cannot resolve the SP Veeam Backup Server using DNS, or the Cloud Gateway(s) are unable to communicate internally or through the DMZ to the SP Veeam Backup Server.
  • Ensure that all Cloud Gateways can resolve the DNS for the SP Veeam Backup Server.
  • Disable any unused gateways.
• In some instances, a firewall may employ a form of adaptive security that filters SSL/TLS traffic. This is often referred to as "Deep Packet Inspection" (DPI), packet inspection, or SSL/TLS inspection. The use of these features can create a Man-in-the-Middle scenario involving the firewall, which may lead to issues when the certificate is exchanged with the Tenant Veeam Backup Server.